Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-093

HistoryNov 20, 2013 - 12:00 a.m.

SA-CONTRIB-2013-093 - Invitation - Access Bypass

2013-11-2000:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

The Invitation module restricts registration to users who have an invite code (for running a private beta).
The module provides default views that don’t check access to views prior to displaying private information like usernames and email addresses.

CVE identifier(s) issued

CVE-2013-7063

Versions affected

Invitation 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Invitation module, there is nothing you need to do.

Solution

If you use the Invitation module for Drupal 7.x, you should disable the module. There is no release with a fix.

Also see the Invitation project page.

Reported by

j1ndustry

Fixed by

Not applicable.

Coordinated by

Greg Knaddison and Lee Rowlands of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/invitation

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/2688277

drupal.org/user/36762

drupal.org/writing-secure-code

drupal.org/user/395439

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2013-093